基于攻击规划图的实时报警关联方法

针对报警因果关联分析方法存在无法及时处理大规模报警且攻击场景图分裂的不足,提出一种基于攻击规划图(APG)的实时报警关联方法。该方法首先给出APG和攻击规划树(APT)的定义;其次,根据先验知识构建APG模型,并提出基于APG的实时报警关联方法,重建攻击场景;最后,结合报警推断完善攻击场景和预测攻击。实验结果表明,该方法能够有效地处理大规模报警和重建攻击场景,具有较好的实时性,可应用于分析入侵攻击意图和指导入侵响应。

Real-time alert correlation approach based on attack planning graph

The alert correlation approach based causal relationship has the problems that it cannot be able to process massive alerts in time and the attack scenario graphs split. In order to solve the problem, a novel real-time alert correlation approach based on Attack Planning Graph (APG) was proposed. Firstly, the definition of APG and Attack Planning Tree (APT) were presented. The real-time alert correlation algorithm based on APG was proposed by creating APG model on basis of priori knowledge to reconstruct attack scenario. And then, the attack scenario was completed and the attack was predicted by applying alert inference mechanism. The experimental results show that, the proposed approach is effective in processing massive alerts and rebuilding attack scenarios with better performance in terms of real-time. The proposed approach can be applied to analyze intrusion attack intention and guide intrusion responses.